How to Disable Root SSH Login Using WHM
Posted on Updated onWhen you install WHM on a fresh server, you need to take care of most of the security aspects by yourself. The ConfigServer Firewall is a great starting point for this. One of the actions you must take early on is restricting root logins via SSH. This may seem like throwing the baby out with the bath water because there are many actions you need to take with root permissions via SSH. However, there are ways to accomplish this without resorting to a direct root login. So why is this important? What harm is there if you have a secure enough password?
The problem lies in the fact that the “root” user name is a constant across all boxes which means that attackers only need to guess one part of the equation. It’s kind of like having the “admin” user name enabled in WordPress. Attackers can constantly probe your application with different passwords while being confident that the username is accurate. Apart from the fact that someone might accidentally guess your password, it also creates a constant strain on your server having to repeatedly validate perhaps thousands of logins at a time. Here’s an example of an SSH window with root logins enabled:
If you’ve configured your security firewall correctly, you should start getting e-mails notifying you of brute force attacks on your server. In just a short span of time, you can suddenly receive hundreds of notifications as I found out soon enough. Here’s a screenshot of my Gmail inbox swamped with them:
The “lfd” that you see, is the “Login Failure Daemon” which scans the log file entries and warns you of brute force attacks. To minimize this dangerous attack vector, it’s beneficial to disable root logins via SSH entirely. Here’s how you go about it.
Modifying the Config File
One thing that WHM misses is a solid file explorer. Earlier, I had talked about using the ConfigServer Explorer written by the same guys who maintain the ConfigServer Firewall. But you can use any editor of your choice including the default SSH “vi”. The file that we’re looking for is called:
/etc/ssh/sshd_config
Note the “d” at the end of the first part of the filename. There’s another one called “ssh_config” without it. Using the file explorer/editor of your choice, open up this file after creating a backup just in case something happens. Once you have it in front of you, search for the following line:
#PermitRootLogin no
Remove the “#” symbol in front of it so that it is no longer a comment as shown in the screenshot below. Once done, save and exit.
Even though the configuration for SSH has changed, this by itself does not make the changes effective immediately. We need to manually restart the service so that it reloads the updated configuration file. Fortunately, we can do this easily from within WHM itself. Search for the “Restart Services” section within WHM on the left-hand side and scroll down to the “SSH Server (OpenSSH)” option at the end.
Click it and confirm that you want to restart the service:
This will take a few seconds. Once you have the confirmation, power up your SSH program once again and try and login as root. If everything goes correctly, you should now get an “Access Denied” message when you try and login as the root user.
This takes care of the root SSH access vulnerability. But now how do you perform root level operations via SSH without being able to login as such? The answer is to allow other users to take over the root functionality and profile while bypassing WHM’s inherent restriction on such an action. We’ll take a look at how to do that in the next article.
Nice writeup but you really should preface this with a big warning to make sure people have set up another user with root permissions before telling them to remove their root SSH access.
I’m thinking you should have posted the Enable Root Operations with the Wheeler Group post first and then followed up with this one. ;)
None the less, decent guide.
That’s a good point!
I disabled root before setting up another user with permissions. Now what? Fudge!
Go to “WHM > Manage Wheel Group Users” and add a regular user account to the group. You will now be able to logon as this user and then become root using “su – root”.
Hello, just happened, locked out! managed it to get it back after 1 hour.
If you are using CSF, make sure to whitelist your IP address.
WHM > ConfigServer Security and Firewall > Firewall Allow IPs
best perfermence to secure root access when you do’nt need to ssh
thanks Bhagwad
Nice article. Someone entered to my website last Tuesday and I’m trying to make it more secure. I did the Host Access Control to avoid another IP connect to my server. Does anyone here (from the staff) could help me to install that fireware? That send me an email when someone is trying to connect, please?
Does setting the PermitRootLogin no disable the WHM Terminal function as well?
Will I still be able to access the Root via the WHM terminal once PermitRootLogin has been changed to “no”?
Thank you in advance.
You won’t be able to log as root using the terminal either. You should never be able to log directly. Create a regular user account, add it to the “Wheel” group and then use “su – root” from that account shell to become root.